Add very basic ocsp stapling support.

This only allows access to the ocsp stapling response data. No verification or anything else at the moment.
2025-10-02 14:48:21 +00:00 · 2014-04-24 12:36:05 -07:00 · 2014-04-24 12:36:05 -07:00 · c24629abf4
commit c24629abf4
parent 9b7eb293f1
7 changed files with 41 additions and 2 deletions
--- a/scripts/site/local.bro
+++ b/scripts/site/local.bro
@ -81,5 +81,6 @@
 # Detect SHA1 sums in Team Cymru's Malware Hash Registry.
@load frameworks/files/detect-MHR
-# Load heartbleed detection. Only superficially tested, might contain bugs.
+# Uncomment the following line to enable detection of the heartbleed attack. Enabling
-@load policy/protocols/ssl/heartbleed
+# this might impact performance a bit.
 # @load policy/protocols/ssl/heartbleed
--- a/src/analyzer/protocol/ssl/events.bif
+++ b/src/analyzer/protocol/ssl/events.bif
@ -214,6 +214,8 @@ event ssl_session_ticket_handshake%(c: connection, ticket_lifetime_hint: count,
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## length: length of the entire heartbeat message.
 ##
 ## heartbeat_type: type of the heartbeat message. Per RFC, 1 = request, 2 = response
@ -236,9 +238,21 @@ event ssl_heartbeat%(c: connection, is_orig: bool, length: count, heartbeat_type
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## length: length of the entire heartbeat message.
 ##
 ## .. bro:see::  ssl_client_hello ssl_established ssl_extension ssl_server_hello
 ##    ssl_alert ssl_heartbeat
 event ssl_encrypted_heartbeat%(c: connection, is_orig: bool, length: count%);
 ## This event contains the OCSP response contained in a Certificate Status Request
 ## message, when the client requested OCSP stapling and the server supports it. See
 ## description in :rfc:`6066`
 ##
 ## c: The connection.
 ##
 ## is_orig: True if event is raised for originator side of the connection.
 ##
 ## response: OCSP data.
 event ssl_stapled_ocsp%(c: connection, is_orig: bool, response: string%);
--- a/src/analyzer/protocol/ssl/ssl-analyzer.pac
+++ b/src/analyzer/protocol/ssl/ssl-analyzer.pac
@ -389,6 +389,17 @@ refine connection SSL_Conn += {
 		return true;
 		%}
 	function proc_certificate_status(rec : SSLRecord, status_type: uint8, response: bytestring) : bool
 		%{
 		 if ( status_type == 1 ) // ocsp
 			{
 			BifEvent::generate_ssl_stapled_ocsp(bro_analyzer(),
 			  bro_analyzer()->Conn(), ${rec.is_orig},
 			  new StringVal(response.length(), (const char*) response.data()));
 			}
 		return true;
 		%}
 };
 refine typeattr Alert += &let {
@ -473,3 +484,7 @@ refine typeattr ApplicationLayerProtocolNegotiationExtension += &let {
 refine typeattr ServerNameExt += &let {
 	proc : bool = $context.connection.proc_server_name(rec, server_names);
 };
 refine typeattr CertificateStatus += &let {
 	proc : bool = $context.connection.proc_certificate_status(rec, status_type, response);
 };
--- a/src/analyzer/protocol/ssl/ssl-protocol.pac
+++ b/src/analyzer/protocol/ssl/ssl-protocol.pac
@ -341,6 +341,7 @@ type Certificate(rec: SSLRecord) = record {
 type CertificateStatus(rec: SSLRecord) = record {
 	status_type: uint8; # 1 = ocsp, everything else is undefined
 	length : uint24;
 	response: bytestring &restofdata;
 };
--- a/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.ocsp-stapling/.stdout
@ -0,0 +1 @@
 F, 1995
--- a/testing/btest/Traces/tls/ocsp-stapling.trace
+++ b/testing/btest/Traces/tls/ocsp-stapling.trace
--- a/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
+++ b/testing/btest/scripts/base/protocols/ssl/ocsp-stapling.test
@ -0,0 +1,7 @@
 # @TEST-EXEC: bro -C -r $TRACES/tls/ocsp-stapling.trace %INPUT
 # @TEST-EXEC: btest-diff .stdout
 event ssl_stapled_ocsp(c: connection, is_orig: bool, response: string)
 	{
 	print is_orig, |response|;
 	}